TL;DR: Bot-driven SMS toll fraud is inflating telecom bills for travel and hospitality companies by abusing SMS verification workflows, with attackers using fake account creation and premium-rate numbers to generate fraudulent charges, according to Arkose Labs. The underlying issue is not just fraud detection, but the weakness of identity verification paths that trust SMS traffic too readily.
At a glance
What this is: This is an analysis of SMS toll fraud in travel and hospitality, showing how bot-created fake accounts can drive large volumes of verification texts to premium-rate numbers and produce fraudulent telecom charges.
Why it matters: It matters because identity teams need to understand when customer verification, bot control, and fraud prevention intersect, especially where SMS is still being used as part of access and account proofing.
By the numbers:
- Some studies estimate SMS pumping fraud caused businesses around the world more than $6.7 billion in 2021.
👉 Read Arkose Labs' analysis of SMS toll fraud in travel and hospitality
Context
SMS toll fraud is a fraud pattern where attackers create large numbers of fake accounts and steer verification messages toward premium-rate phone numbers to generate charges. In travel and hospitality, the attack blends customer onboarding, SMS verification, and bot traffic into a cost-extraction path that traditional fraud controls often see too late.
The identity governance issue is that SMS-based verification assumes the message recipient and the account creator are behaving in good faith. When bots can industrialise sign-ups, that assumption breaks and verification traffic becomes a billing attack surface, not just an authentication step.
Key questions
Q: How should security teams stop bots from abusing SMS verification flows?
A: Put bot detection, rate limiting, and number intelligence in front of SMS initiation, not after it. If untrusted traffic can trigger outbound verification at scale, the organisation has already lost control of the cost path. The goal is to block or slow suspicious account creation before OTP delivery becomes a billing event.
Q: Why does SMS verification create fraud risk in high-volume consumer journeys?
A: SMS verification becomes risky when the business assumes every account creator is legitimate and every delivery is low-cost. In high-volume journeys such as travel booking, attackers can hide in normal traffic and push messages to premium-rate destinations. The control gap is not SMS itself, but the lack of adversarial assumptions around message initiation.
Q: What do teams get wrong about SMS toll fraud detection?
A: They often focus on finding bad accounts after the fraud has already generated charges. That is too late when the loss is tied to telecom billing. Detection should be paired with preventive controls at registration, number validation, and message-trigger stages so abuse never reaches the send step.
Q: Who should own the response when SMS fraud drives telecom losses?
A: Ownership should sit across IAM, fraud operations, and telecom or customer communications teams, because the problem crosses identity, billing, and customer delivery. If only one group owns it, response will miss part of the attack path. Shared accountability is the only way to manage a loss pattern that looks like fraud to one team and spend leakage to another.
Technical breakdown
How bot traffic turns SMS verification into premium-rate billing
Attackers use automation to register accounts at scale, then supply premium-rate numbers during SMS verification. Each OTP or code sent to those numbers generates a charge, which means the fraud is not limited to account abuse. The business pays for the outbound traffic, and the attacker benefits from the fee-sharing model used by unethical carriers or accomplices. Because the activity resembles legitimate onboarding at a glance, volume and timing matter more than individual message content.
Practical implication: monitor verification volume, number reputation, and destination patterns before SMS workflows can be abused at scale.
Why peak booking periods amplify SMS toll fraud
Travel and hospitality produce heavy bursts of SMS for bookings, loyalty, boarding updates, and promotions, which creates noise that fraudsters can hide inside. Attackers also time campaigns around weekends, holidays, and peak booking seasons when operational attention may be thinner. The problem is not simply message volume. It is the difficulty of distinguishing real customer activity from automated registration surges when the business expects spikes anyway.
Practical implication: baseline normal SMS demand by season and channel so abnormal spikes are measurable rather than anecdotal.
Why traditional fraud controls miss SMS pumping in real time
Traditional fraud systems are often tuned to detect monetary abuse after the fact, not to stop message initiation before it happens. SMS pumping exploits that delay by making each event small, repetitive, and operationally plausible. Once the messages go out, recovery options shrink quickly because the damage is tied to telecom billing rather than a reversible account transaction. That makes preventative bot management more relevant than downstream reimbursement workflows.
Practical implication: place controls at the account-creation and SMS-request layer, not only in post-billing fraud review.
NHI Mgmt Group analysis
SMS toll fraud is really a billing-path identity abuse problem. The article shows that attackers are not trying to steal customer credentials first. They are abusing the trust placed in SMS verification to convert fake sign-ups into recurring telecom charges. That makes the control failure one of identity path validation, not just fraud scoring. Practitioners should treat SMS initiation as a governed identity event, not a neutral delivery channel.
Verification workflows create a hidden trust boundary that attackers can industrialise. Travel and hospitality organisations often treat OTP delivery as a harmless support function, but the billing consequence sits outside the usual IAM control plane. Once bots can create accounts faster than teams can review them, the workflow becomes a machine-scaled abuse surface. The practical implication is that onboarding, bot management, and cost governance need to be analysed together, not in separate teams.
Premium-rate routing exposes a named concept: verification-to-billing drift. In this pattern, a step designed to prove account legitimacy silently shifts into a revenue leak when the destination and volume are attacker-controlled. The article is a clear example of how an identity control can remain technically functional while becoming economically unsafe. Practitioners need to recognise when authentication traffic has drifted into a billing liability.
Travel sector SMS load makes abuse harder to spot, but not harder to govern. High-volume customer communications give fraudsters cover, yet the governance problem is still measurable through anomalies in registration bursts, destination number profiles, and regional campaign timing. That means the issue is less about perfect detection and more about having a control model that assumes adversarial behaviour in customer verification. Teams should redesign the workflow around hostile use, not average customer intent.
From our research:
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means most teams still struggle to inventory machine access before abuse spreads.
- For rotation and offboarding guidance, see the NHI Lifecycle Management Guide, which helps teams tighten governance around non-human access.
What this signals
Travel and hospitality teams should treat verification traffic as a governed cost surface, not just a customer experience feature. Once fake accounts can turn OTP delivery into billable abuse, fraud controls need to sit closer to account creation and number validation. The practical shift is to measure message initiation the way finance would measure spend leakage.
A useful framing here is verification-to-billing drift: a legitimate identity step becomes a monetisation path for attackers when destination control is weak. That drift is easier to miss in industries with seasonal traffic, so baseline modelling matters more than ad hoc detection. Teams that already track service account scope and secret hygiene should apply the same discipline to SMS workflows.
For broader identity governance context, compare the article’s abuse pattern with the NHI governance signals in Ultimate Guide to NHIs and the identity lifecycle controls in NHI Lifecycle Management Guide. The lesson is the same across human and non-human flows: if the control assumes honest behaviour, attackers will turn volume into cost.
For practitioners
- Move SMS verification behind bot-adaptive controls: Require bot detection or challenge logic before any workflow can trigger outbound verification traffic. This reduces the chance that fake registrations can generate high-cost SMS in bulk.
- Monitor premium-rate destination patterns: Flag repeated verification requests that resolve to unusual carriers, regions, or number ranges. That gives security and fraud teams a way to identify abuse before the billing cycle closes.
- Separate customer onboarding from message initiation logic: Design the account-creation path so that a verified signup is not automatically allowed to trigger unlimited SMS sends. Add policy checks that can throttle, defer, or block suspicious request bursts.
- Create shared ownership for SMS cost risk: Assign joint accountability to IAM, fraud, and telecom operations so verification abuse is tracked as both a security event and a cost event. That alignment makes it easier to respond before losses become irrecoverable.
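The pre-send controls described in the technical breakdown and in the practitioner list above, as an added example that is neither Arkose Labs' nor NHIMG's code: a policy gate that runs before any verification SMS is handed to the sender, blocking constructed high-risk destination prefixes, capping repeat sends per number and per source IP, and throttling when send volume exceeds a baseline-derived ceiling. The prefixes, limits and request events are constructed sample values, not real number intelligence or traffic.

```python
from collections import defaultdict, deque

# Constructed placeholder prefixes the operator chooses to treat as high-risk
# destinations; a real deployment would source these from carrier/number intelligence.
HIGH_RISK_PREFIXES = ("+8828", "+8835")

class SmsGate:
    """Policy check that runs before any verification SMS is handed to the sender."""

    def __init__(self, window_s=600, per_ip_limit=5, per_dest_limit=3,
                 baseline_per_window=100, burst_factor=3.0):
        self.window_s = window_s                    # sliding window in seconds
        self.per_ip_limit = per_ip_limit            # sends one source IP may trigger per window
        self.per_dest_limit = per_dest_limit        # sends one number may receive per window
        self.burst_ceiling = baseline_per_window * burst_factor  # global ceiling vs baseline
        self.by_ip = defaultdict(deque)             # ip -> timestamps of allowed sends
        self.by_dest = defaultdict(deque)           # destination -> timestamps of allowed sends
        self.all_sends = deque()                    # every allowed send, for burst detection

    def _trim(self, q, now):
        while q and now - q[0] > self.window_s:
            q.popleft()

    def decide(self, now, src_ip, dest):
        """Return 'allow', 'throttle' or 'block' for one verification request."""
        if dest.startswith(HIGH_RISK_PREFIXES):
            return "block"                          # never send to a high-risk destination
        queues = (self.by_ip[src_ip], self.by_dest[dest], self.all_sends)
        for q in queues:
            self._trim(q, now)
        if len(self.by_dest[dest]) >= self.per_dest_limit:
            return "block"                          # same number re-verified repeatedly
        if len(self.by_ip[src_ip]) >= self.per_ip_limit:
            return "throttle"                       # one source driving many sign-ups
        if len(self.all_sends) >= self.burst_ceiling:
            return "throttle"                       # volume far above the seasonal baseline
        for q in queues:
            q.append(now)
        return "allow"

def run_sample():
    """Replay constructed request events (not real traffic) and tally the decisions."""
    gate = SmsGate(baseline_per_window=10, burst_factor=2.0)
    events = [(t, "203.0.113.7", f"+4470000000{t:02d}") for t in range(8)]   # one IP, 8 sign-ups
    events += [(20, "198.51.100.2", "+8828123456")]                           # high-risk prefix
    events += [(30 + i, "198.51.100.3", "+447001112222") for i in range(4)] # same number, 4 times
    tally = defaultdict(int)
    for now, ip, dest in events:
        tally[gate.decide(now, ip, dest)] += 1
    return dict(tally)
```

Throttled requests can be deferred to a challenge step rather than dropped, and every "block" or "throttle" decision is worth logging with the source IP and destination prefix so fraud and telecom teams see the same signal.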
Key takeaways
- SMS toll fraud turns identity verification into a billing attack surface when bots can create fake accounts at scale.
- The exposure is material because repeated SMS abuse can generate millions in losses before teams detect the pattern.
- Preventive bot controls, destination validation, and shared ownership are the controls most likely to stop losses before they harden into telecom bills.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | SMS abuse exploits weak identity verification before access is granted. |
| NIST CSF 2.0 | DE.CM-1 | Fraud spikes require continuous monitoring of unusual traffic patterns. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Zero trust requires continuous validation of requests, not blind trust in SMS flows. |
Track verification volume, destination anomalies, and campaign timing as detection signals.
Key terms
- SMS toll fraud: SMS toll fraud is an abuse pattern where attackers cause a business to send large volumes of verification messages to numbers that generate revenue for the attacker or a complicit carrier. The result is a telecom bill rather than a direct account compromise, so the loss often appears as operational spend leakage.
- Premium-rate number: A premium-rate number is a telephone destination that charges above standard rates for incoming messages or calls. In fraud campaigns, attackers steer verification traffic toward these numbers so the target business pays inflated delivery costs while the attacker or accomplice receives a share of the revenue.
- Verification-to-billing drift: Verification-to-billing drift is a governance failure where a control meant to confirm identity becomes a mechanism for generating cost. In practice, it happens when SMS or similar delivery workflows are not constrained against hostile inputs, allowing adversaries to turn authentication steps into financial exposure.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Arkose Labs: Attackers are using bots to scale up SMS toll fraud in travel and hospitality. Read the original.
Published by the NHIMG editorial team on 2026-05-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org